Merge branch '__acl_improvements_vol2' into 'master'
__acl improvements vol 2 See merge request ungleich-public/cdist!780
commit
bd27d432b1
3 changed files with 26 additions and 45 deletions
|
@ -18,7 +18,7 @@
|
||||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
#
|
#
|
||||||
|
|
||||||
[ ! -e "/$__object_id" ] && exit 0
|
# TODO check if filesystem has ACL turned on etc
|
||||||
|
|
||||||
for parameter in user group
|
for parameter in user group
|
||||||
do
|
do
|
||||||
|
@ -40,7 +40,8 @@ do
|
||||||
|
|
||||||
if ! getent "$getent_db" "$check" > /dev/null
|
if ! getent "$getent_db" "$check" > /dev/null
|
||||||
then
|
then
|
||||||
echo "missing $parameter '$check'"
|
echo "missing $parameter '$check'" >&2
|
||||||
|
exit 1
|
||||||
fi
|
fi
|
||||||
done \
|
done \
|
||||||
< "$__object/parameter/$parameter"
|
< "$__object/parameter/$parameter"
|
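Review bot: The new `exit 1` after `echo "missing $parameter '$check'" >&2` is now the only thing that stops a run when a user or group does not exist, because the gencode-remote section of this commit deletes the `missing_users_groups` check that used to fail there. That only fails closed if the `exit` inside the redirected `done < "$__object/parameter/$parameter"` loop ends the whole script (some older `sh` implementations run a redirected loop in a subshell) and if a non-zero explorer status is treated as fatal by the caller; neither is visible here. A comment above the `exit` would record the dependency, e.g. `# must abort the run: gencode-remote no longer re-checks for missing users/groups`. The loop this check sits in starts outside the hunk.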
|
@ -20,15 +20,7 @@
|
||||||
|
|
||||||
file_is="$( cat "$__object/explorer/file_is" )"
|
file_is="$( cat "$__object/explorer/file_is" )"
|
||||||
|
|
||||||
[ "$file_is" = 'missing' ] && exit 0
|
[ "$file_is" = 'missing' ] && [ -z "$__cdist_dry_run" ] && exit 0
|
||||||
|
|
||||||
missing_users_groups="$( cat "$__object/explorer/missing_users_groups" )"
|
|
||||||
|
|
||||||
if [ -n "$missing_users_groups" ]
|
|
||||||
then
|
|
||||||
echo "$missing_users_groups" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
os="$( cat "$__global/explorer/os" )"
|
os="$( cat "$__global/explorer/os" )"
|
||||||
|
|
||||||
|
@ -56,7 +48,7 @@ do
|
||||||
then
|
then
|
||||||
[ "$file_is" = 'directory' ] && rep=x || rep=-
|
[ "$file_is" = 'directory' ] && rep=x || rep=-
|
||||||
|
|
||||||
acl="$( echo "$acl" | sed "s/\(.*\)X/\1$rep/" )"
|
acl="$( echo "$acl" | sed "s/\\(.*\\)X/\\1$rep/" )"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "$parameter" | grep -Eq '(mask|other)' && sep=:: || sep=:
|
echo "$parameter" | grep -Eq '(mask|other)' && sep=:: || sep=:
|
||||||
|
@ -72,7 +64,7 @@ setfacl_exec='setfacl'
|
||||||
|
|
||||||
if [ -f "$__object/parameter/recursive" ]
|
if [ -f "$__object/parameter/recursive" ]
|
||||||
then
|
then
|
||||||
if echo "$os" | grep -Eq 'macosx|freebsd'
|
if echo "$os" | grep -Fq 'freebsd'
|
||||||
then
|
then
|
||||||
echo "$os setfacl do not support recursive operations" >&2
|
echo "$os setfacl do not support recursive operations" >&2
|
||||||
else
|
else
|
||||||
|
@ -82,41 +74,33 @@ fi
|
||||||
|
|
||||||
if [ -f "$__object/parameter/remove" ]
|
if [ -f "$__object/parameter/remove" ]
|
||||||
then
|
then
|
||||||
if echo "$os" | grep -Fq 'solaris'
|
echo "$acl_is" | while read -r acl
|
||||||
then
|
do
|
||||||
# Solaris setfacl behaves differently.
|
# Skip wanted ACL entries which already exist
|
||||||
# We will not support Solaris for now, because no way to test it.
|
# and skip mask and other entries, because we
|
||||||
# But adding support should be easy (use -s instead of -m on modify).
|
# can't actually remove them, but only change.
|
||||||
echo "$os setfacl do not support -x flag for ACL remove" >&2
|
if echo "$acl_should" | grep -Eq "^$acl" \
|
||||||
else
|
|| echo "$acl" | grep -Eq '^(default:)?(mask|other)'
|
||||||
echo "$acl_is" | while read -r acl
|
then continue
|
||||||
do
|
fi
|
||||||
# Skip wanted ACL entries which already exist
|
|
||||||
# and skip mask and other entries, because we
|
|
||||||
# can't actually remove them, but only change.
|
|
||||||
if echo "$acl_should" | grep -Eq "^$acl" \
|
|
||||||
|| echo "$acl" | grep -Eq '^(default:)?(mask|other)'
|
|
||||||
then continue
|
|
||||||
fi
|
|
||||||
|
|
||||||
if echo "$os" | grep -Eq 'macosx|freebsd'
|
if echo "$os" | grep -Fq 'freebsd'
|
||||||
then
|
then
|
||||||
remove="$acl"
|
remove="$acl"
|
||||||
else
|
else
|
||||||
remove="$( echo "$acl" | sed 's/:...$//' )"
|
remove="$( echo "$acl" | sed 's/:...$//' )"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "$setfacl_exec -x \"$remove\" \"$acl_path\""
|
echo "$setfacl_exec -x \"$remove\" \"$acl_path\""
|
||||||
echo "removed '$remove'" >> "$__messages_out"
|
echo "removed '$remove'" >> "$__messages_out"
|
||||||
done
|
done
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
for acl in $acl_should
|
for acl in $acl_should
|
||||||
do
|
do
|
||||||
if ! echo "$acl_is" | grep -Eq "^$acl"
|
if ! echo "$acl_is" | grep -Eq "^$acl"
|
||||||
then
|
then
|
||||||
if echo "$os" | grep -Eq 'macosx|freebsd' \
|
if echo "$os" | grep -Fq 'freebsd' \
|
||||||
&& echo "$acl" | grep -Eq '^default:'
|
&& echo "$acl" | grep -Eq '^default:'
|
||||||
then
|
then
|
||||||
echo "setting default ACL in $os is currently not supported. sorry :(" >&2
|
echo "setting default ACL in $os is currently not supported. sorry :(" >&2
|
||||||
|
|
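Review bot: Both `grep -Eq "^$acl"` tests, the remove loop's check against `$acl_should` and the add loop's check against `$acl_is`, use an ACL entry as an extended regular expression, so a user or group name containing `.` or another metacharacter can match a different entry. In the remove loop this can make an existing entry look wanted and leave it in place, so access that should be revoked stays granted. If whole-line equality is intended, `grep -Fxq -- "$acl"` avoids this; if the prefix match is deliberate, escape the entry before using it as a pattern. Separately, `$remove` and `$acl_path` are placed inside double quotes in the generated `setfacl` line, so a comment stating which characters they are assumed never to contain would help; the add loop continues past the last hunk.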
|
@ -10,11 +10,7 @@ DESCRIPTION
|
||||||
-----------
|
-----------
|
||||||
ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``.
|
ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``.
|
||||||
|
|
||||||
Fully supported on Linux (tested on Debian and CentOS).
|
Fully supported and tested on Linux (ext4 filesystem), partial support for FreeBSD.
|
||||||
|
|
||||||
Partial support for FreeBSD, OSX and Solaris.
|
|
||||||
|
|
||||||
OpenBSD and NetBSD support is not possible.
|
|
||||||
|
|
||||||
See ``setfacl`` and ``acl`` manpages for more details.
|
See ``setfacl`` and ``acl`` manpages for more details.
|
||||||
|
|
||||||
|
|